Message 284408 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	symphorien
Recipients	symphorien
Date	2016-12-31.19:00:29
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1483210830.52.0.920210756798.issue29125@psf.upfronthosting.co.za>
In-reply-to

Content
The tkinter.tix module looks for a Tix installation in the directory specified by the TIX_LIBRARY environment variable, but blindly trusts that it is a path in the filesystem. This enables a shell injection : TIX_LIBRARY='/dev/null}; exec gsimplecal;' python2 -c "from Tix import Tk; Tk()" or TIX_LIBRARY='/dev/null}; exec gsimplecal;' python3 -c "from tkinter.tix import Tk; Tk()" Python execs gsimplecal, waits on its completion and then raises a tkinter.TclError. The offending code is here : https://github.com/python/cpython/blob/master/Lib/tkinter/tix.py#L204-L208

The tkinter.tix module looks for a Tix installation in the directory specified by the TIX_LIBRARY environment variable, but blindly trusts that it is a path in the filesystem. This enables a shell injection :

TIX_LIBRARY='/dev/null}; exec gsimplecal;' python2 -c "from Tix import Tk; Tk()"

or 

TIX_LIBRARY='/dev/null}; exec gsimplecal;' python3 -c "from tkinter.tix import Tk; Tk()"

Python execs gsimplecal, waits on its completion and then raises a tkinter.TclError.

The offending code is here : https://github.com/python/cpython/blob/master/Lib/tkinter/tix.py#L204-L208

History
Date	User	Action	Args
2016-12-31 19:00:30	symphorien	set	recipients: + symphorien
2016-12-31 19:00:30	symphorien	set	messageid: <1483210830.52.0.920210756798.issue29125@psf.upfronthosting.co.za>
2016-12-31 19:00:30	symphorien	link	issue29125 messages
2016-12-31 19:00:29	symphorien	create